Cisco IPsec

Motivation and Study Techniques to help you learn, remember, and pass your technical exams!

CiscoCISSPCEHMore coming soon...

Visit us www.mindcert.com

Definition

Provides security services at the IP layerA framework of servicesAdds security to the upper layers in the OSI model By Implementing a new set of headers

Utilizes Security Associations (SA)One SA is required per directionA router to router IPsec VPN will use two SA's One in each direction

Two Frame Formats

Both change the datagramAuthentication Header AH

Encapsulating Security Payload ESP

Authentication Header

AHIP Protocol 51

ProvidesOrigin authentication Does a one-way hash of the packet

DOES NOT OFFER DATA CONFIDENTIALITY Encryption

SupportsTunnel Mode

Adds a new headerAuthenticates the whole new datagram

Transport Mode Authenticates the whole existing datagram

Not compliant with NAT As NAT changes the IP HeaderThe will break AH authentication

Encapsulating Security Payload

ESPIP Protocol 50

ProvidesConfidentiality Encryption

IntegrityOrigin Authentication

Supports

Tunnel Mode

Original datagram is placed in the encrypted ESP payload

Uses encrypted ESP headersCannot detect tampering whilst deliveredAlthough payload is fully secure

Transport Mode

Keeps the existing IP header and encrypts the original payload

Only authenticates the ESP header and payloadcannot detect tampering whilst deliveredAlthough payload is fully secure

Is Compliant with NAT

Two Protection Modes

Transport Mode

Protects the payload of the original IP datagramUsed for end to end sessions

Cannot be used When NAT is required

Tunnel ModeProtects entire datagramPlaces whole datagram in a new datagramWorks with NAT

Key Exchange

In IPsec, Key Exchange is provided by the Internet Key Exchange IKE

IKE provides scalability for exchanging keys between IPsec IKE is synonymous with ISAKMP

IKE has two phases

IKE Phase One

No security is currently in placeMaster secret is exchanged to authenticate the peersIKE Phase One sets the secure channel for the data encryption key exchange which is done in IKE Phase Two IKe Phase One negotiates IKE SAs

IKE SA parameters are agreed at Phase OneHashAuthentication

Two Modes

Aggressive Mode

Eliminates several Phase One steps

Faster but less secure Three way packet exchange

Typically used in Remote Access VPNs

Main Mode

Slower but more secure Six way packet exchange

Cisco devices use main modeCan respond to peers that use aggressive mode

Uses Diffie-Hellman (DH) to create the secure channel

IKE Phase Two

IKE negotiates the IPsec SAs and generates the required key material for IPsecTransform set and all other IPsec parameters are agreed at Phase Two

One Mode Quick Mode Reinitiates to refresh the SA

Perfect Forward Secrecy

PFSIf enabled, occurs at IKE Phase TwoCarries out a new DH exchange with each Quick Mode

Configuration

Step 1IKE Phase One

Enable ISAKMPRouter(config)#crypto isakmp enable

ISAKMP is enabled by default

Step 2

Define the ISAKMP policy

Parameters that are used during ISAKMP negotiation

Encryption

3DESDES

AES128-bit

1932-bit256-bit

HashMD5SHA

Authentication

Pre-ShareHave to set a pre-shared key

Router(config)#crypto isakmp key cisco123 address 1.1.1.1Would set the key cisco123 for the peer 1.1.1.1

RSA-EncrRSA-Sig

DH Group125

SA Lifetime60-86400 Seconds

Defaults

EncryptionDES56-bit

HashSHA

AuthenticationRSA-Sig

DH Group1768-bit

SA Lifetime86400 SecondsOne Day

Step 3

Configure the ISAKMP Identity methodRouter(config)#crypto isakmp identity {address | hostname}

OptionsIP AddressHostname

DefaultIP Address

Step 4

IKE Phase Two

Define IPsec Transform Sets

Router(config)#crypto ipsec transform-set myset esp-des esp-md5-hmacThis would create a transform set called myset

using ESP and DES for Encryptionusing ESP and MD5 for Authentication

You are then in crypto transform configuration mode

Further configurationRouter(cfg-crypto-trans)#mode {transport | tunnel}

Sets the mode to either Transport or TunnelDefault is Tunnel

Step 5

Define Crypto ACLCrypto ACL is the Access Control List that specifies the traffic to be sent over the VPN

Router(config)#access-list 199 permit ip host 1.1.1.1 host 2.2.2.2Would encrypt traffic with IPsec from host 1.1.1.1 to host 2.2.2.2

Step 6

Define Crypto Maps

Router(config)#crypto map mymap 10 ipsec-isakmpConfigures a Crypto Map with a sequence number of 10The Crypto Map will use ISAKMP

Crypto Map configuration commands

descriptionDescription of the Crypto Map

dialerDialer related commands

matchMatch crypto ACL

reverse-routeCommands for reverse route injection

set

peerIdentifies the IPsec peer

transform-setIdentifies which transform set to use

pfsUse PFS or not

security-associationSet SA parametersLifetime

Crypto maps pull together various parts used to set up the IPsec SAs

Types

StaticAll entries are pre-configured

DynamicEntries are configured dynamically as the result of IPsec negotiation

Apply the Crypto Map

Crypto Maps are applied to the interface where the traffic leaves and enters a router

You must apply the crypto map both the the physical and logical interface when using GRE tunnels